[meta-virtualization] [PATCH] libvirt: don't mount securityfs or selinux if userns enabled
Bruce Ashfield
bruce.ashfield at gmail.com
Thu Oct 3 19:43:59 PDT 2013
On Wed, Oct 2, 2013 at 9:17 PM, Mark Asselstine
<mark.asselstine at windriver.com> wrote:
> commit 6807238d87fd [Ensure securityfs is mounted readonly in
> container] from upstream libvirt requires securityfs to be mounted,
> always. Failing to use a kernel without SECURITYFS support results in
> the following error when you attempt to start a lxc guest:
>
> error : lxcContainerMountBasicFS:807 : Failed to mkdir securityfs: No
> such file or directory Input/output error
>
> Here we apply an upstream fix for this which allows you to use userns
> support instead of SECURITYFS, by using <idmap> in your guest config.
>
> A similar situation exists for SELINUX so here we are bringing in 2
> more upstream commits, the first for context and the second, which
> like the securityfs patch, doesn't force selinux to be mounted if
> userns is used.
>
Looks fine from here.
merged.
Bruce
> Signed-off-by: Mark Asselstine <mark.asselstine at windriver.com>
> Cc: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> ---
> ...ount-securityfs-when-user-namespace-enabl.patch | 52 ++++++++
> ...ry-to-mount-selinux-filesystem-when-user-.patch | 48 +++++++
> ...of-mounts-out-of-lxcContainerMountBasicFS.patch | 147 +++++++++++++++++++++
> recipes-extended/libvirt/libvirt_1.1.2.bb | 3 +
> 4 files changed, 250 insertions(+)
> create mode 100644 recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
> create mode 100644 recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch
> create mode 100644 recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch
>
> diff --git a/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
> new file mode 100644
> index 0000000..40f8dd9
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch
> @@ -0,0 +1,52 @@
> +From 1583dfda7c4e5ad71efe0615c06e5676528d8203 Mon Sep 17 00:00:00 2001
> +From: Gao feng <gaofeng at cn.fujitsu.com>
> +Date: Thu, 5 Sep 2013 11:50:40 +0100
> +Subject: [PATCH] LXC: Don't mount securityfs when user namespace enabled
> +
> +commit 1583dfda7c4e5ad71efe0615c06e5676528d8203 from
> +git://libvirt.org/libvirt.git
> +
> +Right now, securityfs is disallowed to be mounted in non-initial
> +user namespace, so we must avoid trying to mount securityfs in
> +a container which has user namespace enabled.
> +
> +Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> +---
> + src/lxc/lxc_container.c | 7 +++++--
> + 1 file changed, 5 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> +index 8abaea0..c41ab40 100644
> +--- a/src/lxc/lxc_container.c
> ++++ b/src/lxc/lxc_container.c
> +@@ -750,7 +750,7 @@ err:
> + }
> +
> +
> +-static int lxcContainerMountBasicFS(void)
> ++static int lxcContainerMountBasicFS(bool userns_enabled)
> + {
> + const struct {
> + const char *src;
> +@@ -801,6 +801,9 @@ static int lxcContainerMountBasicFS(void)
> + continue;
> + #endif
> +
> ++ if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
> ++ continue;
> ++
> + if (virFileMakePath(mnts[i].dst) < 0) {
> + virReportSystemError(errno,
> + _("Failed to mkdir %s"),
> +@@ -1530,7 +1533,7 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
> + goto cleanup;
> +
> + /* Mounts the core /proc, /sys, etc filesystems */
> +- if (lxcContainerMountBasicFS() < 0)
> ++ if (lxcContainerMountBasicFS(vmDef->idmap.nuidmap) < 0)
> + goto cleanup;
> +
> + /* Mounts /proc/meminfo etc sysinfo */
> +--
> +1.8.1.2
> +
> diff --git a/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch b/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch
> new file mode 100644
> index 0000000..f058293
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch
> @@ -0,0 +1,48 @@
> +From 1c7037cff42dde35913dde533b31ee1da8c2d6e0 Mon Sep 17 00:00:00 2001
> +From: Gao feng <gaofeng at cn.fujitsu.com>
> +Date: Thu, 12 Sep 2013 11:51:31 +0800
> +Subject: [PATCH] LXC: don't try to mount selinux filesystem when user namespace enabled
> +
> +commit 1c7037cff42dde35913dde533b31ee1da8c2d6e0 from
> +git://libvirt.org/libvirt.git
> +
> +Right now we mount selinuxfs even user namespace is enabled and
> +ignore the error. But we shouldn't ignore these errors when user
> +namespace is not enabled.
> +
> +This patch skips mounting selinuxfs when user namespace enabled.
> +
> +Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> +---
> + src/lxc/lxc_container.c | 8 +-------
> + 1 file changed, 1 insertion(+), 7 deletions(-)
> +
> +diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> +index ddc6e3d..a979452 100644
> +--- a/src/lxc/lxc_container.c
> ++++ b/src/lxc/lxc_container.c
> +@@ -868,7 +868,7 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
> +
> + #if WITH_SELINUX
> + if (STREQ(mnt->src, SELINUX_MOUNT) &&
> +- !is_selinux_enabled())
> ++ (!is_selinux_enabled() || userns_enabled))
> + continue;
> + #endif
> +
> +@@ -885,12 +885,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
> + VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
> + srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
> + if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
> +-#if WITH_SELINUX
> +- if (STREQ(mnt->src, SELINUX_MOUNT) &&
> +- (errno == EINVAL || errno == EPERM))
> +- continue;
> +-#endif
> +-
> + virReportSystemError(errno,
> + _("Failed to mount %s on %s type %s flags=%x opts=%s"),
> + srcpath, mnt->dst, NULLSTR(mnt->type),
> +--
> +1.8.1.2
> +
> diff --git a/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch b/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch
> new file mode 100644
> index 0000000..2c7b0ee
> --- /dev/null
> +++ b/recipes-extended/libvirt/libvirt/Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch
> @@ -0,0 +1,147 @@
> +From f27f5f7eddf531159d791a2b5ac438ca011b5f26 Mon Sep 17 00:00:00 2001
> +From: "Daniel P. Berrange" <berrange at redhat.com>
> +Date: Tue, 10 Sep 2013 13:35:12 +0100
> +Subject: [PATCH] Move array of mounts out of lxcContainerMountBasicFS
> +
> +commit f27f5f7eddf531159d791a2b5ac438ca011b5f26 from
> +git://libvirt.org/libvirt.git
> +
> +Move the array of basic mounts out of the lxcContainerMountBasicFS
> +function, to a global variable. This is to allow it to be referenced
> +by other methods wanting to know what the basic mount paths are.
> +
> +Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> +---
> + src/lxc/lxc_container.c | 79 ++++++++++++++++++++++++++-----------------------
> + 1 file changed, 42 insertions(+), 37 deletions(-)
> +
> +diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> +index 661ac52..6f241d3 100644
> +--- a/src/lxc/lxc_container.c
> ++++ b/src/lxc/lxc_container.c
> +@@ -750,45 +750,50 @@ err:
> + }
> +
> +
> +-static int lxcContainerMountBasicFS(bool userns_enabled)
> +-{
> +- const struct {
> +- const char *src;
> +- const char *dst;
> +- const char *type;
> +- const char *opts;
> +- int mflags;
> +- } mnts[] = {
> +- /* When we want to make a bind mount readonly, for unknown reasons,
> +- * it is currently necessary to bind it once, and then remount the
> +- * bind with the readonly flag. If this is not done, then the original
> +- * mount point in the main OS becomes readonly too which is not what
> +- * we want. Hence some things have two entries here.
> +- */
> +- { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +- { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
> +- { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +- { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +- { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> +- { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +- { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> ++typedef struct {
> ++ const char *src;
> ++ const char *dst;
> ++ const char *type;
> ++ const char *opts;
> ++ int mflags;
> ++} virLXCBasicMountInfo;
> ++
> ++static const virLXCBasicMountInfo lxcBasicMounts[] = {
> ++ /* When we want to make a bind mount readonly, for unknown reasons,
> ++ * it is currently necessary to bind it once, and then remount the
> ++ * bind with the readonly flag. If this is not done, then the original
> ++ * mount point in the main OS becomes readonly too which is not what
> ++ * we want. Hence some things have two entries here.
> ++ */
> ++ { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> ++ { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND },
> ++ { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> ++ { "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> ++ { "sysfs", "/sys", "sysfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> ++ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> ++ { "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> + #if WITH_SELINUX
> +- { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> +- { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> ++ { SELINUX_MOUNT, SELINUX_MOUNT, "selinuxfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV },
> ++ { SELINUX_MOUNT, SELINUX_MOUNT, NULL, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY },
> + #endif
> +- };
> ++};
> ++
> ++
> ++static int lxcContainerMountBasicFS(bool userns_enabled)
> ++{
> + size_t i;
> + int rc = -1;
> +
> + VIR_DEBUG("Mounting basic filesystems");
> +
> +- for (i = 0; i < ARRAY_CARDINALITY(mnts); i++) {
> ++ for (i = 0; i < ARRAY_CARDINALITY(lxcBasicMounts); i++) {
> ++ virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
> + const char *srcpath = NULL;
> +
> + VIR_DEBUG("Processing %s -> %s",
> +- mnts[i].src, mnts[i].dst);
> ++ mnt->src, mnt->dst);
> +
> +- srcpath = mnts[i].src;
> ++ srcpath = mnt->src;
> +
> + /* Skip if mount doesn't exist in source */
> + if ((srcpath[0] == '/') &&
> +@@ -796,34 +801,34 @@ static int lxcContainerMountBasicFS(bool userns_enabled)
> + continue;
> +
> + #if WITH_SELINUX
> +- if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
> ++ if (STREQ(mnt->src, SELINUX_MOUNT) &&
> + !is_selinux_enabled())
> + continue;
> + #endif
> +
> +- if (STREQ(mnts[i].src, "securityfs") && userns_enabled)
> ++ if (STREQ(mnt->src, "securityfs") && userns_enabled)
> + continue;
> +
> +- if (virFileMakePath(mnts[i].dst) < 0) {
> ++ if (virFileMakePath(mnt->dst) < 0) {
> + virReportSystemError(errno,
> + _("Failed to mkdir %s"),
> +- mnts[i].src);
> ++ mnt->src);
> + goto cleanup;
> + }
> +
> + VIR_DEBUG("Mount %s on %s type=%s flags=%x, opts=%s",
> +- srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts);
> +- if (mount(srcpath, mnts[i].dst, mnts[i].type, mnts[i].mflags, mnts[i].opts) < 0) {
> ++ srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts);
> ++ if (mount(srcpath, mnt->dst, mnt->type, mnt->mflags, mnt->opts) < 0) {
> + #if WITH_SELINUX
> +- if (STREQ(mnts[i].src, SELINUX_MOUNT) &&
> ++ if (STREQ(mnt->src, SELINUX_MOUNT) &&
> + (errno == EINVAL || errno == EPERM))
> + continue;
> + #endif
> +
> + virReportSystemError(errno,
> + _("Failed to mount %s on %s type %s flags=%x opts=%s"),
> +- srcpath, mnts[i].dst, NULLSTR(mnts[i].type),
> +- mnts[i].mflags, NULLSTR(mnts[i].opts));
> ++ srcpath, mnt->dst, NULLSTR(mnt->type),
> ++ mnt->mflags, NULLSTR(mnt->opts));
> + goto cleanup;
> + }
> + }
> +--
> +1.8.1.2
> +
> diff --git a/recipes-extended/libvirt/libvirt_1.1.2.bb b/recipes-extended/libvirt/libvirt_1.1.2.bb
> index cfb406d..a12147a 100644
> --- a/recipes-extended/libvirt/libvirt_1.1.2.bb
> +++ b/recipes-extended/libvirt/libvirt_1.1.2.bb
> @@ -24,6 +24,9 @@ RCONFLICTS_${PN}_libvirtd = "connman"
>
> SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz \
> file://tools-add-libvirt-net-rpc-to-virt-host-validate-when.patch \
> + file://LXC-Don-t-mount-securityfs-when-user-namespace-enabl.patch \
> + file://Move-array-of-mounts-out-of-lxcContainerMountBasicFS.patch \
> + file://LXC-don-t-try-to-mount-selinux-filesystem-when-user-.patch \
> file://libvirtd.sh \
> file://libvirtd.conf"
>
> --
> 1.8.1.2
>
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization
--
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"
More information about the meta-virtualization
mailing list